Guaranteeing Weak Termination in Service Discovery

Transcription

1 Fundamenta Informaticae XXI (2001) IOS Press Guaranteeing Weak Termination in Service Discovery Karsten Wolf Universität Rostock, Rostock, Germany Daniela Weinberg, Janine Ott, Robert Danitz Institut für Informatik Humboldt-Universität zu Berlin, Unter den Linden 6, Berlin, Germany Christian Stahl Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Bo 513, 5600 MB Eindhoven, The Netherlands Abstract. A big issue in the paradigm of Service Oriented Architectures (SOA) is service discovery. Organizations publish their services via the Internet. These published services can then be automatically found and accessed by other services, meaning, the services are composed. A fundamental property of a service composition is weak termination, which guarantees the absence of deadlocks and livelocks. In principle, weak termination can be verified by inspecting the state space of the composition of (public views of) the involved services. We propose a methodology to build that state space from precomputed fragments, which are computed upon publishing a service. That way, we shift computation effort from the resource critical find phase to the less critical publish phase. Interestingly, our setting enables state space reduction methods that are intrinsically different from traditional state space reductions. We further show the positive impact of our approach to the computational effort of service discovery. Keywords: deadlock- and livelock freedom, SOA, service discovery, state space reduction Address for correspondence: Universität Rostock, Rostock, Germany supported by the DFG within grant Operating Guidelines for Services (WO 1466/8-1)

2 1002 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1. Introduction 1.1. Background and motivation Today s organizations are challenged to continuously adapt their systems to address changes in their environment. On the one hand, systems are highly comple, run in heterogenous environments, and are often distributed over several organizations. On the other hand, the ever-changing market conditions and regulations reuire organizations to act fleibly. Systems are subject to ongoing changes, but the integration of these changes should not take much time. Hence, new technologies are needed to support the development and maintenance of such systems. Service Oriented Computing (SOC) [30] is a novel computing paradigm that facilitates the design of comple systems by connecting less comple systems, called services. A service encapsulates a certain functionality and offers it to other services over a well-defined interface. The interface of a service consists of a set of message channels and is used to communicate with other services. To this end, services are composed by connecting their message channels. The key technology to design and to eecute systems according to the paradigm of SOC is a Service Oriented Architecture (SOA). A SOA provides an IT infrastructure for publishing services of an organization via the Internet. Using standardized interfaces and message protocols these published services can then be automatically found and accessed by other organizations. That way, a SOA enables interoperability between systems and hence reduces compleity of systems. A SOA defines three roles of services: a service provider offers the functionality of his service by publishing it (or an abstract version, the public view) in a service registry; a service broker manages the registry; a service reuester ueries the registry of a broker to find a service which provides certain functionality. If an appropriate service has been found in the registry, the broker returns the relevant data needed to establish a connection between the service of the reuester and the service of the provider. As each service is published only once, but potentially considered in the find reuest multiple times, we epect that the number of find reuests at a broker s registry is significantly greater than the number of publish events. Moreover, answering a find reuest appears to be more resource (time and memory) critical than processing a publish event, as the find reuest may be much closer in time to the actual eecution of the composed system. Service discovery that is, the selection of an appropriate service is a comple task. The selection of a certain service needs to take care of issues concerning the reuested functionality and semantical, behavioral, and nonfunctional aspects. In this article, we consider the behavioral aspects of service discovery and concentrate on the proper interaction between the two services; that is, we abstract from semantical and nonfunctional aspects and consider only data types and message types and not their content. Most articles on this issue [24,43] use deadlock freedom as a definition of proper interaction, but in practice a stronger correctness criterion is reuired that ensures in addition to the absence of deadlocks also the absence of livelocks (a livelock is a set of states which does not contain a final state and which cannot be left) in a service composition. We refer to this criterion as weak termination. Although relevant service description languages, such as WS-BPEL [5], avoid deadlocks and livelocks in single services, they cannot prevent them in service compositions [21]. In a naive approach toward ensuring weak termination, the service provider would publish a description of its service or an abstract version of it (e. g., described in WS-BPEL) in a registry. If a service reuester ueries this registry, then the broker has to find a service P in this registry such that the com-

3 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1003 position of P and the service R of the reuester is weakly terminating. To this end, the reuester needs to provide information about his service R usually in the form of a service description of R. Then, the broker would construct the transition systems that reflects the behavior of the composition of the two services P and R and model check it for weak termination. If the composition of two services is weakly terminating, we say that both services match. In the branching time logic CTL, weak termination can be formalized by AG EF final state; that is, from every state that is reachable from the initial state, it is always possible to reach a final state. This procedure would then be eecuted upon every find reuest. We argued earlier that a find reuest is rather resource critical. For this reason, our approach shifts this computation effort from the find reuest to the eecution of a publish event Approach In the following, we illustrate our approach, and we eplain in a second step how it can be applied to support service discovery. Let P and R be services, and let P R be their composition. As services interact asynchronously, the composition P R interleaves transitions of P and R. Thus, our idea is to precompute those parts of P R that take place between two subseuent transitions of R. We refer to such a part as a fragment of P. We shall show that there eists a finite set of fragments of P from which we can build arbitrary composed systems involving P. In particular, this set is independent of any R to be composed with P. A big advantage of this approach is that we can apply substantial state space reduction techniues to the fragments, thus computing a composed system from fragments of P that is significantly smaller than the original system P R. As a result, we need to verify only a smaller state space for weak termination. The approach is applicable, because the proposed reduction techniues guarantee that the computed composed system is weakly terminating if and only if P R is. Interestingly, the described setting calls for a way of state space reduction that differs significantly from standard model checking approaches. In model checking [10], it typically does not make much sense to reduce state spaces a posteriori that is, after their actual calculation. In our setting, however, it makes sense to reduce the internal state space of fragments once they have been computed, because their actual integration into a complete transition system takes place at a different point in time. For our a posteriori state space reduction, we use a set of reduction rules adapted from [18]. Our proposed approach can be applied to support service discovery. We propose that a service provider publishes its service P in the repository of a broker. The broker then computes the (reduced) fragments of P. Clearly, this computation reuires some computational effort, but in the publish phase time is not a critical resource. The reduced fragments provide the broker with sufficient information to check whether a reuesting service R matches with P. At the moment of a find reuest of a service R, the broker receives the service description of R and calculates the composed system of P and R from the reduced fragments of P. In a net step, the broker model checks the composed system for weak termination. As our approach results in a system with a smaller state space than the state space of the original system P R, the actual check will be faster. This speed up is achieved by shifting computation time (for the fragments reduction) from the find phase to the publish phase. In practice, services P and R are usually not formally modeled. Instead, various service description languages have been proposed by different industrial consortiums. Most prominent languages are WS- BPEL [5] and BPMN [29]. As our approach is based on a formal service description we use state

4 1004 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery machines the broker has to translate services P and R into a formal model. The eistence of formal semantics for most service description languages and tools to automatically translate a service into a formal model proves suitability of our approach (e. g., [11, 20]). This article is an etended version of [42] where we introduced the methodology of constructing the state space P R from a given service R and the set of (reduced) fragments of a service P. In this article, we etend the results of [42] by providing complete proofs for the fragment reduction. In addition, we present eperimental results for matching (i. e., model checking the constructed state space P R for weak termination). Our results show that the state space P R calculated from reduced fragments of P is significantly smaller than the state space of the composition of P and R. We continue by providing our service model and other basic concepts in Sect. 2. In Sect. 3, we introduce the computation of fragments of a service P and the construction of a transition system P R given the fragments of P and a service R. We present reduction rules to condense fragments in Sect. 4. Eperimental results in Sect. 5 validate the applicability of our methodology. In Sect. 6, we present related work, and conclusions are drawn in Sect Basic concepts In this section, we describe our service model, state machines, simulation between service models and the notion of a partner Behavioral models for services A service consists of a control structure describing its behavior and of an interface to communicate asynchronously with other services. An interface is a set of (input and output) channels. In order that two services can interact with each other, an input channel of one service has to be connected to an output channel of the other service. Asynchronous message passing means that communication is nonblocking; that is, after a service has sent a message, it can continue its eecution and does not have to wait until this message is received. Furthermore, messages can overtake each other; that is, the order in which the messages are sent is not necessarily the order in which they are received. In practice, there eist many languages to describe the behavior of services. Most prominent are WS-BPEL and BPMN. In this article, we abstract from the actual synta of service description languages and use state machines as a basic formalism to model service behavior. For the labeling, we fi a universe MC of message channels with / MC. Definition 2.1. (State machine) A state machine P = [Q, L I, L O, δ, ˆ, W ] consists of a countable set Q of states, a set L I MC of input labels and a set L O MC of output labels with L I L O = ; the internal label is denoted by / (L I L O ), a transition relation δ Q (L I L O {}) Q on states, an initial state ˆ Q, and

5 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1005 a set W Q of final states. P is deterministic if and only if, for all,, Q, L I L O, [,, ] δ implies = and [,, ], [,, ] δ implies =. P is a finite state machine if and only if Q, L I, and L O are finite. The transition relation δ reflects state changes of a state machine. For any two states and and any action (MC {}), we write if an -labeled transition eists from to. We write if there eists a such that. By, we represent that there eists a (possibly empty) seuence 1... n of transitions from to and say that is reachable from. An -labeled transition [,, ] δ is a sending transition if L O, a receiving transition if L I, and an internal transition if =. In the graphical representation of a state machine, we label a transition with! if L O and? if L I. In order that two services can interact with each other, they have to be composed; that is, an input channel of one service has to be connected to an output channel of the other service. Two state machines P and R are composable if they have disjoint sets of states, the input channels of P are the output channels of R, and vice versa. The composition P R of composable state machines P and R introduces an internal message bag B (i. e., a multiset) of pending asynchronous messages that were sent by one state machine, but not yet received by the other one. That way, an -labeled sending transition of P adds in P R one element to the message bag B. Correspondingly, a transition receiving an removes an from the message bag B. Internal transitions remain as internal transitions in P R. We assume that transitions in P R inherit their label from the originating transition in P and R, respectively. In contrast to actual service models, however, a label in a composed system just serves as an annotation and is not meant to establish communication with a third service. The annotated labels will significantly simplify some considerations in the remainder. We formalize composition of state machines in the following definition. Let Bags(MC) denote the set of all multisets over MC, and let [ ] denote the empty multiset. Addition of multisets is defined pointwise. Definition 2.2. (Composition of state machines) Two state machines P = [Q P, L I P, LO P, δ P, ˆ P, W P ] and R = [Q R, L I R, LO R, δ R, ˆ R, W R ] are composable if and only if Q P Q R =, L I P = LO R, and LI R = LO P. For two composable state machines P and R, their composition is the transition system P R = [Q, L I, L O, δ, ˆ, W ] defined as: Q = Q P Q R Bags(MC); L I = L I P LI R and LO = L O P LO R ; δ Q (L I L O {}) Q; ˆ = [ˆ P, ˆ R, [ ]]; W = W P W R {[ ]}; such that the transition relation δ contains for all B Bags(MC) the elements [[ P, R, B],, [ P, R, B]] if and only if [ P,, P ] δ P ; [[ P, R, B],, [ P, R, B]] if and only if [ R,, R ] δ R;

6 1006 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery Bank + Cust Cust MP(Bank) [p0, r0, [ ]]!as!re r0 s0 [p1, r0, [as]] [p0, r1, [ ]] [p2, r0, [re]] Bank + Cust!as!re s2 Bank s1 Cust MP(Bank) r1 Bank Cust MP(Bank)!ap [p1, r1, [as]] [p2, r1, [re]] [p0, r0, [ ]] Bank + Cust!a,!as!re s3 s4 p0 r0 s0 r3 p0 Bank r0 s0 Cust MP(Bank) r2,,!as!re [p1, r2, [ ]] [p0, r0, [ ]]!as [p2, r3, [ ]] [p1, r0, [as]]!re [p1, r0, [as]] [p0, r1, [ ]] [p2, r0, [re]]!as!as s2!re!re p1 p2 s2 s1 p0 r0 s0 p1 p2 s1 r1 s5!ap [p1, r1, [as]] r1 r4,,?ap!as!re [p1, r0, [as]] [p0, r1, [ ]] [p2, r0, [re]]?ap!ap [p2, r4, [i]] [p1, r1, [as]], [p2, r1, [re]]!ap,,?i!re?i s3!as s4!re?i!re s4s2 p1 p2 r3 s1 s3 r3 p3 p4 r2,, [p1, r2, [ ]] p3 p4 r1 r2?ap!ap [p4, r4, [ ]] [p1, r2, [p1, [ ]] r1, [as]] [p2, r3, [p2, [ ]] r1, [re]] F s0(r0)!re?i [v0, r0]!re s5 s3 s4 s5!as!re r3 p3 p4 r2 r4,, [p2, r4, [re]] r4 [p1, r2, [ ]] [p2, r4, [p2, [i]] r3, [ ]]!ap,, [v1, r0] [v2, r0]?i (a) Bank (b) Cust s5 F (c) Bank s0(r1) Cust (d) MP(Bank) [v0, r1] [p4, r4, [p2,[ ]] r4, [i]] r4 F s0(r0)!as!re [v0, r0]!re?i Figure 1. (a) Service [p0, s0, model [ ]] of an online bank, (b) service model of a customer, (c) their composition,!as!reand (d) a [v1, r1] [v2, most r1] permissive!aspartner of the!re online bank service (for k = 1). Final states are depicted by double circles (boes). [p2, r4, [re]] [p4, r4, [ ]] [v1, r0] [v2, r0]!re [p1, s0, [as]] [p2, s0, [re]] F s0(r1) [v0, r1] (r2) F s2(r3) [p2, r4, [re]] [v3, r2] [v4, r3]!as!re [[ P, R, B + []],, [ P, R, B]] if and only if [ P,, P ] δ P, L I P ; [v1, r1] [v2, r1] [p0, s0, [ ]] [p1, s1, [ ]] [p2, s2, [ ]]!as!re F[[ s4(r4) P, R, B],, [!ap P, R, B + []]] if and only if [ [v7, r4] P,, P ] δ P, L O P ; F s1(r2) [p1, s0, [as]] [p2, s0, [re]] F s2(r3)?i [[ [v3, r2] [v4, r3] P, R, B + [p2, []], s3,, [ap]] [ P, [p2, s4, [i]] R, B]] if and only if [ R,, R ] δ R, L I R ; [v8, r4]?ap?i!re [[ P, R, B],, [p3, [s3, P,[ ]] R, B + []]] [p4, s4, if and [ ]] [p1, only s1, [ if ]] [ R,, R ] [p2, δ R, s2, [ ]] L O R. F s4(r4) [v9, r4]!re!ap [v7, r4] [p1, s0, [a?i Eample 2.1. Eamples for service [p2, models s4, [re]] are Bank, Cust, and MP(Bank) in Figs. 1(a), 1(b), and 1(d), [p2, s3, [ap]] [p2, s4, [i]]?a [v8, r4] respectively. Figure 1(a) depicts the model Bank of an online bank service. Bank?ap!re either sends a customer?i [p1, s1, his annual statements (!as) or it reuires the customer to make an appointment with his bank consultant (!re). It accepts additional information being sent by the customer (?i), but it always reminds him F s4 [p3, s3, [ ]] [v9, [p4, r4] s4, [ ]] C [s0,,s1]={[v1 v3]} s3, [ap]] v7: [p2, s4, [i]]!re?ap to C [s0,,s2]={[v2 v4]}?imake an appointment (!re). If the customer agrees on an appointment (?ap), Bank terminates. Figure s4, 1(b) [ ]] depicts a customer!ap C [s2,!ap,s3]={[v4 v5]} [p2, s4, [re]], s3, [ ]] v8: [p4, service Cust. Cust receives either the annual statements () or a reuest for!re F s0 C [s2,,s4]={[v4 v7]} F s1 F an appointment (). He s3 v0: [p0, s0, [ ]] always replies to such a reuest by sending F s4 some information to its customer v9: [p2, s4, [re]] C [s4,,s2]={[v9 v4]} v3: [p1, s1, [ ]] C [s0,,s1]={[v1 v3]} consultant ()!as in the hope!re of receiving his annual statements v5: [p2, s3, [ap]] eventually v7: [p2, (). s4, [i]] Bank and MP(Bank) are C [s0,,s2]={[v2 v4]} F?ap s2?i deterministic;!ap v1: [p1, s0, Cust [as]] is v2: not the [p2, s0, [re]] state r0 has a -labeled transition, which is not a self-loop. Bank v4: [p2, s2, [ ]] C [s2,!ap,s3]={[v4 and Cust v5]} are composable and Fig. 1(c) depicts their composition. v6: [p3, s3, [ ]] v8: [p4, s4, [ ]]!re C [s2,,s4]={[v4 v7]} v9: [p2, s4, [re]] C [s4,,s2]={[v9 v4]} 2.2. Simulation between state machines For comparing two state machines R 1 and R 2, we use a simulation relation [26]. A simulation relation of R 1 by R 2 demands that every transition of R 1 can be mimicked by an eually-labeled transition of R 2.

7 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1007 Definition 2.3. ((Bi-)Simulation relation) Let R 1 = [Q 1, L I, L O, δ 1, ˆ 1, W 1 ] and R 2 = [Q 2, L I, L O, δ 2, ˆ 2, W 2 ] be state machines. A binary relation ϱ Q 1 Q 2 is a simulation relation of R 1 by R 2 if and only if [ˆ 1, ˆ 2 ] ϱ, and for all [ 1, 2 ] ϱ, a (L I L O {}), 1 Q 1 such that [ 1, a, 1 ] δ 1, there eists a state 2 Q 2 such that [ 2, a, 2 ] δ 2 and [ 1, 2 ] ϱ. If such a ϱ eists, we say that R 2 simulates R 1. If ϱ 1 is a simulation relation of R 2 by R 1 as well, then the two services are bisimilar [31] and ϱ a bisimulation relation. Let ϱ be a bisimulation relation between R 1 and R 2. If, for all ( 1, 2 ) ϱ, 1 W 1 if and only if 2 W 2, then ϱ respects final states. We use a strong kind of simulation where even is treated as a normal label. Like for finite state machines, we can also define a (bi-)simulation relation for two transition systems. As the definition is analogous, we do not show it. There may eist several simulation relations of R 1 by R 2. Throughout this article, we shall always confine to minimal simulation relations where minimal refers to set inclusion. If R 2 is deterministic, then there eists a uniue minimal simulation relation (if any simulation relation eists), because for each transition in R 1, there is a uniue mimicking transition in R 2. The minimal simulation relation relates only reachable states of R 1 and R 2. Definition 2.4. (Minimal simulation relation) Let R 1 and R 2 be state machines and R 2 be deterministic. The minimal simulation relation ϱ of R 1 by R 2 is the smallest simulation relation of R 1 by R 2, i. e., ϱ ϱ, for all simulation relations ϱ of R 1 by R 2. Eample 2.2. In the eample of Fig. 1, service MP(Bank) simulates service Cust, but Cust does not simulate MP(Bank). As a conseuence, MP(Bank) and Cust are not bisimilar. As MP(Bank) is deterministic, there eists a minimal simulation relation ϱ of Cust by MP(Bank) with ϱ = {[r0, s0], [r1, s0], [r2, s1], [r3, s2], [r4, s4], [r2, s5]} Partners The idea of SOC is to design comple services from smaller services. To this end, services have to be composed. Clearly, we are interested in service compositions where the involved services interact properly. In this article, proper interaction means that the service composition neither contains deadlocks nor livelocks. To decide proper interaction of service compositions, we restrict ourselves to finite state services (i. e., finite state machines). In this case, deadlocks and livelocks are terminal strongly connected components of a state machine which do not contain a final state. Definition 2.5. ((Terminal) Strongly connected component, (T)SCC) Let P = [Q, L I, L O, δ, ˆ, W ] be a finite state machine. Two states, Q of P are mutually reachable if and only if and. Mutual reachability is an euivalence relation on states of a finite state machine, and its euivalence classes are strongly connected components (SCCs). An SCC S is a terminal strongly connected component (TSCC) if and only if no state of another SCC is reachable from any state of S.

8 1008 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery A terminal strongly connected component with a singleton nonfinal state without a self-loop is a deadlock; every other terminal strongly connected component, which does not contain a final state, is a livelock. Note that our definition of a deadlock differs from the standard definition in literature, as we discriminate between final states and deadlocks. If a finite state machine neither contains a deadlock nor a livelock, it is weakly terminating. In the computation tree logic (CTL) [8], weak termination can be epressed as AG EF ( W ); that is, from every state that is reachable from the initial state, it is always possible to reach a final state. Weak termination is a weaker property than (classical) soundness [1]. In addition to weak termination, soundness reuires that each activity in a higher level model (sometimes referred to as structural transition) can be enabled. A finite state machine R is a partner of a finite state machine P if and only if they are composable and the composition P R of P and R is weakly terminating. Definition 2.6. (Weak termination, partner) Let P and R be two composable finite state machines. For k N, the composition P R = [Q, L I, L O, δ, ˆ, W ] is k-weakly terminating if and only if, for all states = [ P, R, B] Q with ˆ holds: (1) : with W and (2) B() k, for all channels MC. If P R is k-weakly terminating, then R is a k-partner of P. The introduction of the parameter k establishes an artificial limit on the number of pending messages in a single channel. Technically, we use it to enforce (for any value of k) that the composition has a finite number of reachable states, which is a prereuisite for the algorithms studied in the seuel. Pragmatically, it could either represent a reasonable buffer size in the middleware for eample, the result of a static analysis of the communication behavior of a service or be chosen sufficiently large. In the service discovery approach, we assume that the service provider fies a k when publishing its service S. In the remainder of this article, we assume an arbitrary, but fied value of k to be given, and we shall use terms, such as weakly terminating or partner, without preceding k. From [41], we import a result concerning partners of finite state machines. Proposition 2.1. (Eistence of a most permissive partner [41]) For every finite state machine P, which has at least one partner, there eists a deterministic partner MP(P ) such that the following holds: If R is a partner of P, then MP(P ) simulates R. Call MP(P ) a most permissive partner of P. There may eist several most permissive partners of a finite state machine and by definition they simulate each other. Because they are deterministic, these simulation relations must be inverses of each other, thus implying a bisimulation relation. As a conseuence, all most permissive partners are bisimilar. For this reason, the results of this article hold independently of the most permissive partner chosen. Hence, we use a functional notation MP(P ). In [41], we describe an algorithm for computing a most permissive partner MP(P ) of a given finite state machine P and a given bound k of pending messages in the composition P MP(P ). As a most permissive partner MP(P ) must simulate partners of P that may have arbitrary many - transitions, every state of MP(P ) has a -labeled self-loop. Note that this is only a technical construct. In an implementation these transitions can be left out while adjusting the simulation relation accordingly. Furthermore, every state of MP(P ) is a final state, thus ensuring that if any partner is in a final state, the corresponding related state of MP(P ) is a final state as well.

9 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1009 Once having found a most permissive partner, Proposition 2.1 gives us a necessary but unfortunately not a sufficient criterion for deciding whether a finite state machine R is a partner of a finite state machine P : There must eist a simulation relation of R by the most permissive partner MP(P ). As MP(P ) is deterministic, the uniuely determined minimal simulation relation eists, too. The eistence of a minimal simulation relation provides us with the clue to our approach: If a most permissive partner MP(P ) simulates every partner R of P, the composition P R must follow those patterns, which are already present in P MP(P ). To this end, we decompose the state space of P MP(P ) into fragments. These fragments can then be connected to the actual composition P R, where the minimal simulation relation of R by MP(P ) determines the way in which fragments are connected. Eample 2.3. Service Cust is not a partner of service Bank in Fig. 1, because their composition may livelock if Bank sends message re; see the four states forming a TSCC without a final state depicted bold in Fig. 1(c). Figure 1(d) depicts a most permissive partner MP(Bank) of service Bank (for k = 1). Note that an infinite echange of messages re and i is possible in the composition of Bank and MP(Bank), because weak termination only guarantees that a final state can be reached (if MP(Bank) sends!ap). State s5 is depicted only for technical purposes. Every edge to s5 shows a possible set of messages that MP(Bank) can receive, but that will never occur, because Bank cannot send them. Although MP(Bank) simulates Cust (see Fig. 1(b)), Cust is not a partner of Bank. Hence, this eample shows that the eistence of a simulation relation of Cust by a most permissive partner of Bank is only a necessary but not a sufficient criterion for being a partner of Bank. 3. Composing transition systems from fragments In this section, we define the notion of a fragment and show how to compute fragments for a finite state machine P. We then present how a transition system P R can be constructed given the fragments of P and a finite state machine R Fragments Given a finite state machine P and a most permissive partner MP(P ), the composition P MP(P ) yields a transition system TS that consists of transitions of P and MP(P ). We use this property to derive a canonical decomposition of TS into fragments. A fragment describes what P can do between two subseuent transitions of MP(P ). The transitions of MP(P ) link fragments. As P and MP(P ) interact asynchronously, a transition of MP(P ) may correspond to many transitions in the composed system. Conseuently, we bundle these transitions in the composed system to a connection, which links two fragments. In the case of an internal transition in MP(P ), the connection is a bundle of self-loops, which links a fragment to itself. Otherwise, the linked fragments are different, because a noninternal transition has an impact on the pending messages which contribute to the state of the composed system. Eample 3.1. To illustrate the idea of fragments and connections, consider the transition system Bank MP(Bank) in Fig. 2. Dotted arcs denote transitions of Bank; solid arcs denote transitions of MP(Bank) (and are hence transitions of connections). Each ellipse denotes a fragment of Bank. Figure 2 illustrates that each connection either links two fragments or is a bundle of self-loops.

10 p0!as!re p1 p2?ap?i!re p3 p K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery r0 r1 r3 r4 r2, s1,,,!ap,, s0 s!ap, s3 s5!as [p1, s0, [as]] [p0, s0, [ ]]!re [p2, s0, [re]] [p1, s1, [ ]] [p2, s2, [ ]]!ap [p2, s3, [ap]] [p2, s4, [i]]?ap?i [p3, s3, [ ]] [p4, s4, [ ]]!re [p2, s4, [re]] F s0(r0) [v0, r0]!as!re [v1, r0] [v2, r0] F s0(r1) [v0, r1]!as!re [v1, r1] [v2, r1] F s1(r2) F s2(r3) [v3, r2] [v4, r3] F s4(r4) [v7, r4]?i [v8, r4]!re Figure 2. Dividing the state space of Bank MP(Bank) into fragments. [v9, r4] According to our approach, we F s0 shall construct the composition F s1 P R Fof s3 the finite state machines v0: [p0, s0, [ ]] F P and R from fragments of P. To this end, we formally define s4 v3: [p1, fragments s1, [ ]] and connections in terms of!as!re transition systems. v1: [p1, s0, [as]] v2: [p2, s0, [re]] Definition 3.1. (Fragment) A (state space) fragment F = [V, L I, L O, E, Ω] consists of a set V of nodes, F s2 v4: [p2, s2, [ ]] v5: [p2, s3, [ap]] v7: [p2, s4, [i]]?ap?i v6: [p3, s3, [ ]] v8: [p4, s4, [ ]]!re v9: [p2, s4, [re]] C? [s0,,s1]={[v1 C? [s0,,s2]={[v2 C [s2,!ap,s3]={[v4 C [s2,,s4]={[v4!! C [s4,,s2]={[v9? a set L I of input and a set L O of output transition labels with / L I L O, a set E V (L I L O {}) V of (directed) labeled edges, and a set Ω V of final nodes. We do not define an initial state of a fragment, because a fragment may have several initial states. Instead, we introduce an initial state later on when we define the composition P R that is calculated from fragments of P. The initial state shall be the initial state of P MP(P ). When composing a state space from fragments, we may need several copies of one and the same fragment, because different states of R may be related to the same state of MP(P ) and hence to the same fragment. To this end, we introduce fragment instances. Let some fied set FI denote the name space of all fragment instances. Definition 3.2. (Fragment instance) Let n FI. An instance F (n) of a fragment F = [V, L I, L O, E, Ω] is built by renaming the constituents v (V Ω) and e E as follows: v [v, n], e = [v 1,, v 2 ] e [[v 1, n],, [v 2, n]]. Fragment instances are fragments again. For each fragment instance n, we use n as an identifier to make all constituents disjoint from constituents of other fragment instances. Later on, the identifier of a fragment instance refers to a state of R.

11 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1011 For connecting fragments, more precisely, for connecting nodes of different fragment instances, we use the concept of connections. Definition 3.3. (Connection, instance) A connection C from fragment F 1 = [V 1, L I, L O, E 1, Ω 1 ] to fragment F 2 = [V 2, L I, L O, E 2, Ω 2 ], with V 1 V 2 =, is a subset of V 1 (L I L O {}) V 2. An instance C(m, n) of a connection C is defined as C(m, n) = {[[v 1, m],, [v 2, n]] [v 1,, v 2 ] C}, for m, n FI. Call an element of a fragment (instance) a transition. If C is a connection from fragment F 1 to fragment F 2, then C(m, n) is a connection from fragment instance F 1 (m) to fragment instance F 2 (n). Given a set of fragments and a set of connections we can build a transition system by connecting states of different fragments according to the connections. Definition 3.4. (Transition system of fragments) A set F 1,..., F n of fragments with F i = [V i, L I, L O, E i, Ω i ] for i = 1,..., n and pairwise disjoint sets of nodes, together with a set C 1,..., C m of connections of F 1,..., F n to F 1,..., F n defines the labeled transition system TS = [V, L I, L O, E] with a set V = n k=1 V k of states and a set E = n i=1 E i m j=1 C j of (directed) labeled transitions. We do not define initial and final states of such a transition system, but we define these states later on when we consider fragments of a given finite state machine P. Net, we show how to define the set of fragments and connections of a given finite state machine P Fragments and connections of a finite state machine P In the following, we present how the sets F(P ) of fragments and C(P ) of connections for a given finite state machine P can be computed. These sets provide those ingredients that are needed to calculate composed systems involving P. To calculate the fragments and the connections of P, we construct the transition system P MP(P ) of P and an arbitrarily chosen but fied most permissive partner MP(P ) of P. As already mentioned, we can compute MP(P ) from P and a fied bound k that limits the number of pending messages. Our results do not depend on the choice of MP(P ). As P and MP(P ) are finite, we can indeed compute the sets of fragments and connections. Definition 3.5. (F(P ), C(P )) Let MP(P ) = [Q, L I, L O, δ, ˆ, W ] be a most permissive partner of P = [Q P, L I P, LO P, δ P, ˆ P, W P ]. Define the set F(P ) = {F Q} of fragments of P with F = [V, L I P, LO P, E, Ω], where V = {[ P,, B] [ P,, B] Q P MP(P ) }, E = {[[ P,, B],, [ P,, B ]] [[ P,, B],, [ P,, B ]] δ P MP(P ) [ P,, P ] δ P }, and Ω = {[ P,, B] [ P,, B] V P W P W B = [ ]}.

12 !ap [p2, s3, [ap]] [p2, s4, [i]] (v3, r2) (v4, r3)?ap?i F s1(r2) F s2(r3) [p2, s3, [ap]] [p2, s4, [i]] [v3, r2] [v4, r3] [p3, s3, [ ]] [p4, s4, [ ]]?ap?i F s4(r4)!re (v7, r4) [p3, s3, [ ]] [p4, s4, [ ]] F s4(r4)?i [p2, s4,!re [re]] [v7, r4]?i (v8, r4) [p2, s4, [re]]!re [v8, r4]!re (v9, r4) 1012 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery [v9, r4]!as!as [p1, s0, [as]] [p1, s0, [as]] [p1, s1, [ ]] [p1, s1, [ ]] [ [p F s0 v0: [p0, s0, [ ]] F s0!as!re v0: [p0, s0, [ ]] v1: [p1,!as s0, [as]] v2:!re[p2, s0, [re]] v1: [p1, s0, [as]] v2: [p2, s0, [re]] F s1 F s3 v3: [p1, s1, [ ]] F s1 F s2 v3: [p1, s1, [ ]] v4: [p2, s2, [ ]] F s2 v4: [p2, s2, [ ]] F s4 v5: [p2, s3, [ap]] v7: [p2, s4, [i]]?ap F s4?i v5: [p2, s3, [ap]] v7: [p2, s4, [i]] v6: [p3,?ap s3, [ ]] v8: [p4,?i s4, [ ]]!re v6: [p3, s3, [ ]] v8: [p4, s4, [ ]] v9: [p2, s4, [re]]!re F s3 v9: [p2, s4, [re]] (a) Fragments F(Bank) C [s0,,s1]={[v1 v3]} [s0,,s2]={[v2 v4]} C [s0,,s1]={[v1!ap v3]} [s2,,s3]={[v4 v5]} C [s0,,s2]={[v2 v4]} [s2,,s4]={[v4!ap v7]} C [s2,!ap,s3]={[v4 v5]} C [s4,,s2] ={[v9 v4]} C [s2,,s4]={[v4 v7]} C [s4,,s2]={[v9 v4]} (b) Connections C(Bank) Figure 3. (a) The sets of all fragments and (b) all connections (ecept for the -loops) of Bank in Fig. 1(a). Dotted lines denote fragment internal transitions and solid lines connections. Define the set C(P ) = {C [,, ] [,, ] δ} of connections of P, with C [,, ] = {[[ P,, B],, [ P,, B ]] [[ P,, B],, [ P,, B ]] δ P MP(P ) [,, ] δ}. Definition 3.5 builds the composition P MP(P ). For each state Q of MP(P ), there is a fragment F = [V, L I P, LO P, E, Ω]. Fragment F describes the behavior of P while MP(P ) is in state. This behavior yields the sets V of nodes and E of edges of F. Each transition of F is a transition of P. Final states of fragment F are those states of F, where P and MP(P ) are in a final state and B is the empty multiset. A connection C [,, ] describes a set of transitions in the composed system P MP(P ) that originates from a single transition [,, ] in MP(P ). As MP(P ) is by Proposition 2.1 deterministic, connections bundle either -labeled self-loops, sending transitions or receiving transitions linking different fragments. Note that F may be empty for some state Q that is not reachable in the composition P MP(P ). Accordingly, we may have empty connections resulting from transitions to state which do not eist in P MP(P ). This fragment and also the empty connections do not play any role in our approach and thus shall not be shown in the graphics. Recall that due to the introduced bound k of pending messages, F(P ) and C(P ) are finite. Eample 3.2. From the composition Bank MP(Bank) in Fig. 2, we calculate the fragments F(Bank) and the connections C(Bank) of the online bank service Bank; see Fig. 3. For each of the five reachable states s0, s1, s2, s3, and s4 of the most permissive partner MP(Bank), there is one fragment in Fig. 3(a). For instance, the fragment for the initial state s0 is defined as F s0 = [{v0, v1, v2}, L I, L O, {[v0,!as, v1], [v0,!re, v2]}, ]. Note that F(Bank) also contains a fragment F s5, but F s5 is unconnected and does not contain any node, because state s5 is not reachable in Bank MP(Bank). Connection C [s0,,s1] is the singleton set {[v1,, v3]}, where v0 relabels state [p0, s0, [ ]], v1 relabels state [p1, s0, [as]], and so on. All connections (ecept for the self-loops) are singleton sets. Net, we show how we can construct a transition system of P R given a finite state machine P and the set of fragments F(P ) and connections C(P ) of P Composing a transition system from fragments Throughout this section, we fi a finite state machine P. Let MP(P ) be the most permissive partner of P that has been used for constructing the sets F(P ) of fragments and C(P ) of connections of P.

13 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1013 By Proposition 2.1, a minimal simulation relation of a finite state machine R by MP(P ) is a necessary condition for R being a partner of P. That means, if MP(P ) does not simulate R, then R is not a partner of P (with respect to the given message bound k) and there is no use in constructing a transition system TS from R, F(P ), and C(P ) that reflects P R. For this reason, we may assume eistence of a minimal simulation relation ϱ Q R Q MP(P ) when constructing TS from F(P ) and C(P ). The eistence of ϱ is checked during the construction of TS by relating states of R to fragments of F(P ). To this end, we apply a depth-first search through the state space of R. As the minimal simulation relation is uniue, there is for each transition in R only one continuation in MP(P ). As a conseuence, we can check the simulation relation during this depth-first search. The time and space reuired for finding ϱ is linear in the product of the number of states and edges of MP(P ) (i. e., the number of fragments and connections) and R. We build the transition system TS by gluing fragments and connections of P. For constructing TS, we have to define its set F(TS) of fragments and C(TS) of connections. We add, for each [ R, ] ϱ, a fragment F to the set F(TS). More precisely, as R might not be the only state of R that is related to, we add a fragment instance F ( R ). Accordingly, the set C(TS) is determined by the connections of P and the fragments F of F(TS), where state is used in ϱ. Definition 3.6. (Construction of TS) For a finite state machine P let MP(P ) = [Q, L I, L O, δ, ˆ, W ] be the most permissive partner of P that has been used for constructing the sets F(P ) of fragments and C(P ) of connections of P. Let R = [Q R, L I, L O, δ R, ˆ R, W R ] be a finite state machine, and let ϱ Q R Q be the minimal simulation relation of R by MP(P ). Compose transition system TS from the following fragments and connections of P : F(TS) = {F ( R ) [ R, ] ϱ}, C(TS) = {C [,, ]( R, R ) [ R, ], [ R, ] ϱ [ R,, R ] δ R [,, ] δ}. Let the initial state of TS be the initial state of P MP(P ) in fragment instance Fˆ (ˆ R ). Let the set of final states of TS consist of all final nodes occurring in those fragment instances F ( R ) where R W R. Fragment instance Fˆ (ˆ R ) is definitely contained in F(TS) and contains an instance of the initial state of P MP(P ); otherwise, there would not eist a minimal simulation relation of R by MP(P ). We use this state as the initial state of TS. Final states of TS are the final states of all fragment instances F ( R ) where R is a final state in R. Eample 3.3. In our eample, we construct the state space of Bank Cust from the fragments and connections of the online bank service Bank (see Fig. 3) and the customer service Cust (see Fig. 1(b)). We have [r0, s0], [r1, s0] ϱ. Hence, we add two instances of fragment F s0, F s0 (r0) and F s0 (r1), to F(TS). As we have transition [r0,, r1] δ Cust in Cust, we add connection C [s0,,s0] (r0,r1) to C(TS). Net, we add fragment F s1 (r2) to F(TS), because [r2, s1] ϱ. From transition [r1,, r2] δ Cust in Cust and from transition [s0,, s1] δ MP(Bank) in MP(Bank) we conclude that connection C [s0,,s1] (r1, r2) has to be added to C(TS), and so on. Figure 4 shows the resulting transition system TS. Note that [r4, s4] ϱ and presence of transition [r4,, r2] δ Cust (see Fig. 1(b)) yields [r2, s5] ϱ. However, as s5 is not reachable in MP(Bank), there is no -labeled transition leaving F s4 (r4). Transition system

14 p0 r0 s0!as!re s2 p1 p2 s1 r1!ap?ap,?i!re s3 s4 r3 p3 p4 r2,, s K. Wolf et al. r4 / Guaranteeing Weak Termination,, in Service Discovery!ap,,!as!re [p1, r0, [as]] [p0, r1, [ ]] [p2, r0, [re]]!as!re [p1, r1, [as]] [p2, r1, [re]] [p1, r2, [ ]] [p2, r3, [ ]] [p2, r4, [i]]?i [p0, s0, [ ]]!as!re, [as]] [p2, s0, [re]] 1, [ ]] [p2, s2, [ ]]!ap [p2, s3, [ap]]?ap [p3, s3, [ ]] [p2, s4, [i]]?i [p4, s4, [ ]]!re [p2, s4, [re]] F s0(r0) [v0, r0]!as!re [v1, r0] [v2, r0] F s0(r1) [v0, r1]!as!re [v1, r1] [v2, r1] F s1(r2) F s2(r3) [v3, r2] [v4, r3] F s4(r4) [v7, r4]?i [v8, r4]!re [v9, r4] [p4, r4, [ ]]!re [p2, r4, [re]] [p0, s0, [ ]]!as!re [p1, s0, [as]] [p2, s0, [re]] [p1, s1, [ ]] [p2, s2, [ ]]!ap v0: [p0, s0, [ ]]!as!re, s0, [as]] v2: [p2, s0, [re]] F s1 [p2, s3, [ap]] Constructing the state space Bank Cust from the fragments of Fig. 3(a) for service Cust of Fig. 1(b).?ap Figure 4. Bank Cust has a livelock (depicted in bold font); the only final state is [v3, r2]. v3: [p1, s1, [ ]] F s3 v5: [p2, s3, [ap]] F s4 v7: [p2, s4, [i]] C [s0,,s1]={[v1 F?ap C [s0,,s2]={[v2 v4]} s2?i!ap TS contains v4: [p2, as2, livelock, [ ]] because the states in fragment instances C [s2,!ap,s3]={[v4 F v5]} v6: [p3, s3, [ ]] v8: [p4, s4, [ ]] s2 (r3) and F s4 (r4) form a TSCC in TS C [s2,,s4]={[v4 v7]} without a final node. Thus, Cust is not a partner!re of Bank. v9: [p2, s4, [re]] C [s4,,s2]={[v9 As the main result of this section, we prove that the constructed transition system TS indeed reflects P R; that is, TS and P R are bisimilar. Intuitively, a stronger result than a bisimulation for eample, an isomorphism cannot be achieved due to unfoldings of cycles. v3]} v4]} [p3, s3, [ ]] [p2, s4? [p4, s4 [p2, s4, Theorem 3.1. Let R be a partner of P, and let TS be as defined previously. Then there eists a bisimulation relation that respects final states between TS and P R. Proof: As R is a partner of P, there eists a minimal simulation relation ϱ of R by MP(P ) that is used for constructing TS. We claim that the following relation ϱ Q P R Q TS is the reuired bisimulation: ϱ = { [ P, R, B], [[ P,, B], R ] [ P, R, B] Q P R, [ R, ] ϱ, [[ P,, B], R ] F ( R )} By construction of TS, for every pair [ R, ] ϱ, F ( R ) F(TS); so ϱ is defined. The initial state of P R is [ˆ P, ˆ R, [ ]], the initial state of TS is [[ˆ P, ˆ, [ ]], ˆ R ], so ϱ relates the initial states of the considered systems. Let [ P, R, B], [[ P,, B], R ] ϱ. A transition in P R originates either from a transition in P or from a transition in R. A transition of P leads to some state [ P, R, B ] in P R. Obviously, the same transition is possible in state [ P,, B] of the composition P MP(P ) as well, leading to [ P,, B ] there. Both states and the corresponding transition between them are, thus, part of fragment F, which proves that a transition from [[ P,, B], R ] to [[ P,, B ], R ] with the same label is present in TS. Analogously, a transition internal to a fragment (which again stems from a transition in P ) used in TS can be mimicked in P R.

15 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery 1015 Consider now a transition from state [ P, R, B] to state [ P, R, B ] of P R that originates from a transition [ R,, R ] in R. As ϱ is a simulation, there is a transition [,, ] with [ R, ] ϱ, for some. Both transitions change message bag B in the same way, because they carry the same label. Fragment F and connection instance C [,, ]( R, R ) have been included in the construction of TS. This connection instance contains the reuired transition from [[ P,, B], R ] with to [[ P,, B ], R ] in TS. The other way round, consider an -labeled transition in TS from [[ P,, B], R ] to some state [[ P,, B ], R ] that is part of an included connection instance C [,, ]( R, R ). By construction of TS, we have [ R,, R ] δ R. As enabledness of a transition in P R and its effect on B just depend on B and, transition [[ P, R, B],, [ P, R, B ]] must be present in P R. Let [ P, R, B] be a final state in P R that is, P W P, R W R, and B = [ ]. This means that, for any, [[ P,, B], R ] is a final state in F and, by construction of TS, [[ P,, B], R ] is final in TS (recall that every state in MP(P ) is a final state). The other way round, a state in TS is a final state according to Definition 3.6 if R is a final state and the state of the fragment instantiated with R is final. By construction of fragments, this implies P W P and B = [ ], so [ P, R, B] is a final state in P R. Bisimilar systems are indistinguishable for any formula of the temporal logic CTL that uses atomic propositions which are preserved by the considered bisimulation relation (see [10], for instance). As weak termination can be epressed as AG EF ( W ) in this logic, Theorem 3.1 implies the following corollary. Corollary 3.1. P R is weakly terminating if and only if TS is. Corollary 3.1 enables us to verify TS instead of the state space of P R, because the bisimulation relation between both transition systems guarantees that if weak termination holds in TS, it also holds in the state space of P R; and if weak termination does not hold in TS, it also does not hold in the composition P R. We can directly apply the results presented in this section to the setting of service discovery. A service provider publishes its service P in a service registry. The service broker then computes the fragments and connections of P. Upon a find reuest of a service R, the broker checks first whether P and R are composable. In a second step, the broker computes a transition system TS by composing fragments of P and verifies it for weak termination. Our goal is to speed up a find reuest. This can be achieved if the computed transition system is significantly smaller than the state space of P R. In the net section, we show a way to reduce the size of the calculated fragments. That way, we can compute a transition system TS, which is significantly smaller than TS, while guaranteeing that TS is weakly terminating if and only if TS is. 4. Fragment reduction In this section, we present techniues that reduce the size of the calculated fragments and the number of transitions of each connection. That way, we achieve the actual reduction of computational effort that we would like to have at the time of a find reuest. To make this reduction applicable in our setting, we have to guarantee that the transition system computed from a finite state machine R and the reduced fragments of a finite state machine P is weakly terminating if and only if the transition system composed

16 1016 K. Wolf et al. / Guaranteeing Weak Termination in Service Discovery from R and the unreduced fragments of P is. The actual challenge is to guarantee this property for any R. The reduction we are using is different from usual state space reduction known from eplicit state space verification [10, 39]. Whereas traditional state space reduction is typically applied during the state space construction, we can apply our techniues after the state space construction. This is not to say that usual state space reduction techniues like the symmetry method [9, 12] or partial-order reduction [15, 32, 37] are out of scope in our setting. The problem is that application of these techniues must not interfere with the procedure of composing fragments to a transition system TS as described in the previous section. To this end, we concentrate on an a posteriori state space reduction that can be applied immediately after constructing the fragments. The reductions are local to a fragment or local to a connection. A reduction local to a fragment corresponds to a state space reduction in every instance of the fragment present in the state space. A reduction local to a connection impacts the transitions of this connection and the source and target fragments. It is the same as a reduction in every instance of the connection in the generated state space. Each fragment of P is reduced only once, but the outcome of the reduction is available in every transition system that is constructed from the reduced fragments of P. We continue by first collapsing strongly connected components inside fragments to single states. In a second step, we define dedicated reduction rules that reduce the number of states of the fragments. Hereby, we neither remove a fragment nor change the connectivity between fragments (i. e., we do not remove connections). We may, however, remove redundant transitions in connections Strongly connected component based fragment reduction Deadlocks and livelocks are terminal strongly connected components which do not contain a final state. If this component is a singleton state without a self-loop, we have a deadlock, otherwise a livelock. In this light, collapsing strongly connected nodes inside a fragment to single nodes is an obvious reduction. It may turn a livelock into a deadlock, but the reduced system is weakly terminating if and only if the original system is. Definition 4.1. (SCC reduction) Let F be a set of fragments and C be a set of connections. The reduced sets F and C are defined as follows. For each fragment F = [V, L I, L O, E, Ω], let F be the euivalence on V where F if and only if and are mutually reachable using edges in E. Let F = [V, L I, L O, E, Ω ] be defined by V = [V ] F ; E = {[[] F, [ ] F ] 1 [] F, 1 [ ] F : [ 1, 1 ] E}; and Ω = {[] F [] F Ω }. Let F = {F F F}. For a connection C from fragment F 1 to fragment F 2, let [[] F1, [ ] F2 ] C if and only if there eist 1 [] F1 and 1 [ ] F2 with [ 1, 1 ] C. Let C = {C C C}.